It doesn’t seem to matter how big or small your business is; everyone is being impacted one way or another by the Coronavirus outbreak. Whilst a lot of businesses are having to pause work for their employees and are putting them on furloughed salaries while there is no work for them, other businesses are looking at how they can adapt (or pivot, which seems to be a popular word at the moment), either by doing things differently (thinking outside the box on how they continue to deliver their services) or by doing something completely different (e.g. switching production to products that the NHS and the care sector are in desperate need of).
One thing some businesses are realising is that they need to up their online game, or indeed take their business online, something they possibly didn’t need to consider in the past. This means that some web developers have seen an increase in enquiries about building e-commerce sites, or add-ons to existing sites, to offer products to an online market. If you have time on your hands to think along these lines, then this is good news not just for your business but also for the wider economy.
So, if you’re taking your business online for the first time what are the GDPR compliance issues you should be thinking about? Here’s our quick checklist of all the things you should be thinking about (and these apply whether during the Coronavirus crisis or at any time you decide to take your business online):
- Carry out a Data Protection Impact Assessment (DPIA) risk assessment. This will enable you to think about the data protection risks you should consider and mitigate, which are likely to include considering risks to personal data that you’ve not processed like this before, security implications, etc.
- Is your website up to scratch? You will need to think about what needs to be in place on your website to ensure the security of data, and that’s not just about adding a plugin or using a web developer to add an online store. Think about whether you’ve got an SSL certificate set up on your domain (that’s what gives you a secure https:// connection for your website) and whether your website software is up to date. Remember, you may become more of a target for hackers if they think your site holds personal data in the backend, so keep your website software updated and put software protections (e.g. website firewalls) in place if appropriate.
- Decide how you’re going to manage admin access to the backend of your website. For example, if you are using a third party to build the site and manage it for you, will they have admin access to the backend, which in turn might mean access to customer data (if it’s stored in the website database)? If so, make sure they are GDPR compliant and get a data processing contract in place with them. Furthermore, make sure that admin users are audited regularly so that old admin accounts don’t retain unnecessary access.
- Understand where the data you’re collecting from online sales is going to be stored. If it’s not within the EU, you will need to make sure the GDPR’s restricted transfer rules are followed for any providers or processors.
- Consider your marketing wording and make sure it fits with the privacy rules around consent. Remember, PECR allows you to market to existing customers, but you should tell them that’s what you’re doing and give them the option to opt out at the point of sale.
- Put in place an internal website process/policy document which sets out how the website will be managed going forward, including any controls for your team to ensure they maintain the site, stay compliant, monitor admin access, etc. Don’t assume your web developer is going to do everything for you (for example, who’s going to keep the website software up to date and monitor security fixes?).
- Update your data processing register/audit file to include the new data you will be collecting, the lawful basis, etc.
💡 If you need some help getting to grips with your DPIA or any of the above, we provide resources you can use to do this yourself, or we can help you: either by supporting you along the way (for example, our Helpline service includes reviews of DPIAs), or by doing all of it for you. Take a look at our helpline services or get in touch if you’d like some advice or want to discuss further.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR